Credit Card Merchant On-Site Assessment

Longwood University
Annual Credit Card Merchant Assessment

Merchant Name:
Date:
Merchant Fiscal Contact:
Phone Number:
Merchant Number(s):
Credit Card Brands Accepted: ☐ Visa ☐ MasterCard ☐ American Express ☐ Discover
SAQ Level:
Last Attestation Date:

1. By what method(s) do you accept credit cards?
   ☐ In person ☐ Mail ☐ Fax ☐ Phone ☐ Email ☐ Online ☐ Other

2. If you accept credit cards in person, do you have a point-of-sale (POS) terminal to accept credit card payments?
   ☐ Yes – POS terminal connected to internet
   ☐ Yes – POS dial-out terminal via analog phone line
   ☐ N/A

2.1 Is the credit card number truncated on both the customer’s and merchant’s printed receipt? (last four recommended)
   ☐ Yes ☐ No

2.2 Who is responsible for daily batch settlement?
   Name:
   Title:

2.3 What type of information is available on the daily batch settlement printed from the POS terminal?
   ☐ Itemized sales by customer with full 16 digit credit card number listed
   ☐ Itemized sales by customer but credit card number is not listed or is truncated
   ☐ Summarized sales for the batch but sales are not itemized by credit card number/customer
   ☐ Other

2.4 Where is the daily batch settlement and merchant copy of receipts stored?
   ☐ Unlocked filing cabinet/desk
   ☐ Locked filing cabinet/desk
   ☐ Other, specify:

3. If you accept credit cards in person through a swipe device, please provide:
   Manufacturer:
   Model Number:

4. Is credit card data entered via computer terminal into a 3rd party website on behalf of the consumer?
   ☐ Yes ☐ No

4.1 If yes, please provide:
   Terminal Type:
   Longwood Tag Number:

4.2 Is the computer terminal connected to any other system?
   ☐ Yes ☐ No

4.3 Is credit card data entered ONLY via a secured terminal identified with a “PCI Secure Workstation” sticker?
   ☐ Yes ☐ No

4.4 If your terminal is connected via the internet to a 3rd party who processes the credit card sale, have you confirmed they are PCI DSS compliant? Provide the name of the 3rd party.
   ☐ Yes ☐ No ☐ N/A

5. If your department accepts credit cards online, what is the web address?
   Web Address:

6. Do you use a hosted solution where the customer is passed to a 3rd party to enter credit card information? If yes, provide the name of the 3rd party.
   ☐ Yes ☐ No

7. Do customers enter their credit card information on an LU domain and then get passed to a 3rd party for authorization?
   ☐ Yes ☐ No

8. Are you interested in learning about the University’s hosted solution for accepting credit cards online?
   ☐ Yes ☐ No ☐ Already Using

9. If you receive cardholder data via fax, is the fax machine in a secured area and are faxed documents destroyed immediately after the transaction is processed?
   ☐ Yes ☐ No ☐ N/A

10. For transactions executed over the phone, please provide a copy of the form used to collect credit card data.
   ☐ N/A

11. Do you process credit card information left on a voice message?
   ☐ Yes ☐ No

12. If cardholder data is received through email, is the transaction processed?
   ☐ Yes ☐ No

13. If you utilize a 3rd party service provider to transmit, store or process credit card information, have you confirmed them to be compliant with PCI DSS?
   ☐ Yes ☐ No

13.1 Please provide a list of all service providers and proof of PCI compliance.
   ☐ University preferred solution

14. Do you have any kiosks?
   ☐ Yes ☐ No

15. Is credit card data stored on a Longwood device or system, or on Longwood premises? If yes, explain.
   ☐ Yes ☐ No

16. Do you store or retain any reports, receipts or written documentation with credit card numbers?
   ☐ Yes ☐ No

16.1 If yes, do reports or receipts contain the full 16 digit credit card number?
   ☐ Yes ☐ No

16.2 If yes, where is documentation stored?
   ☐ Unlocked filing cabinet/desk
   ☐ Locked filing cabinet/desk or safe
   ☐ Other, specify:

16.3 If yes, how long do you store documentation?
   ☐ Less than 1 year ☐ Current Fiscal Year ☐ 2 years ☐ 3 years ☐ > 3 years

17. Do you destroy documentation immediately after authorization?
   ☐ Yes ☐ No ☐ N/A

17.1 Explain how documentation is destroyed.
   ☐ Mark-through ☐ Shred ☐ Cross-cut shred

18. Do you electronically store credit card data?
   ☐ Yes ☐ No

18.1 If yes, where/how is credit card data electronically stored?
   ☐ Departmental Server ☐ Personal Computer ☐ Other, specify:

18.2 What type of credit card data is stored?
   ☐ Credit Card Number ☐ Card Expiration Date ☐ Magnetic Stripe Data ☐ Card Validation Code ☐ Other, specify:

19. Are appropriate controls in place to limit physical access to systems and devices in the cardholder data environment?
   ☐ Yes ☐ No

20. Are all media (electronic or paper) containing cardholder data kept in a secure and restricted area, away from public access?
   ☐ Yes ☐ No ☐ N/A

21. Is a unique password assigned to each person with access to payment card processing?
   ☐ Yes ☐ No ☐ N/A

21.1 What are the password change requirements? (PCI states 90 days)

22. Is access restricted to paper and electronic media with credit card numbers and to systems that collect, store or process credit card information to only those individuals whose jobs require such access?
   ☐ Yes ☐ No ☐ N/A

23. Do you send receipts and other documentation with full credit card numbers to offsite storage? If yes, how long is it stored?
   ☐ Yes ☐ No

24. Do you have written credit card handling procedures, to include data retention and disposal procedures (if applicable)? If yes, attach a copy.
   ☐ Yes ☐ No

25. Are you familiar with the University’s Payment Card Security Policy #1015 and applicable procedures?
   ☐ Yes ☐ No

26. Are you familiar with the University’s Funds Handling and Deposit Policy #4305?
   ☐ Yes ☐ No

27. Do you keep the Director of Cashiering & Student Accounts aware of changes in your payment card program?
   ☐ Yes ☐ No

28. Do you have a security awareness training program on the importance of cardholder data security for employees involved with credit card sales?
   ☐ Yes ☐ No

29. If yes, how frequently is it offered? Provide documentation verifying that all individuals involved in credit card activities receive training. (Should be offered at least annually, and must be documented to be valid.)
   ☐ Annually ☐ New hire

30. Do you require employees to acknowledge, at least annually, that they have read and understand Longwood policies/procedures on payment card processing? If yes, please provide copies of Payment Card Security and Confidentiality Agreement.
   ☐ Yes ☐ No

31. Are you familiar with University Policy 6131 – Security Awareness and Training?
   ☐ Yes ☐ No

32. Are you familiar with the following Information Security policies?
   6104 – Acceptable Use of Information Technology Resources and Systems
   6105 – Access to Information Technology Resources and Systems
   6119 – Password Management
   6127 – Physical Access
   6132 – Incident Response
   ☐ Yes ☐ No

Merchant Fiscal Contact Signature:
Reviewed By:
Date:
Notes: